Accept a scan request as a vendor
If a Veracode customer (enterprise) requests an assessment of your code through the third-party scan process, you must first review the request.
Prerequisites
Before you can review third-party scan requests, you must have:
- Received a third-party application scan request.
- The Creator, Submitter, or Security Lead role to create and upload files for a scan. If you do not have these roles, contact Veracode Technical Support.
- The Security Lead role, or membership in the team associated with the application, to accept a third-party scan request.
- Ensured that you can provide the requested assets for scanning, such as application code for Static Analysis or SCA, or web application URLs or API specifications for Dynamic Analysis scanning.
Locate the scan request
When you sign in to the Veracode Platform, go to My Portfolio > Applications. The requested application is in your applications list with a status of Agreement Pending. To accept the third-party scan request, select the application name to open the application overview.
Accept the third-party terms
If you are fulfilling a third-party scan request for the first time, you must first accept the third-party terms.
To complete this task:
- Review all the information on the Accept Third-Party Request page and select the checkbox that indicates that you agree to the scan results being shared with the requesting customer.
- Select Continue to proceed with the application scan request.
Accept the scan request
After accepting the third-party terms, you can accept the scan request.
To complete this task:
- Select Accept Request. If more than one scan type was requested, you must also select the type of scan. The Accept Third-Party Request page opens, showing the information requested by the Veracode customer. The page includes information about the policy against which the application will be assessed. To view details about the policy, select the help icon next to the policy name.
- Review all the information and select the Sharing Results checkbox.
- Select Continue.
- Depending on the type of scan you accepted, the relevant scan configuration page opens.
If the application information is incorrect or if you have questions about the Veracode Assessment Agreement, contact Veracode Technical Support. For example, the Veracode customer might request an incorrect version or platform for the application.
About vendor rescanning and publishing
After Veracode completes a scan of your application, you can choose to rescan the application or publish the scan results to your enterprise customer.
Rescanning your application
After your scan completes, and you have fixed all the flaws that the initial scan discovered, you can rescan your application if your enterprise customer has given you permission to do so. Rescanning enables you to check that you have remediated your vulnerabilities before you publish the results. Select Rescan and complete the scan request steps as you did for the initial scan.
Publishing your results
When you are satisfied with the results of your final scan, you can then publish the results to your enterprise customer. If you have the Security Lead role, select Publish to Enterprise to publish your results.
In the Publish Results to the Enterprise window, to also share any Software Composition Analysis results, select the Include the SCA results checkbox.
Publish scan results
In some cases, the vendor and enterprise may agree to let the vendor review and mitigate results before the enterprise receives the summary results. In these cases, the vendor might be asked to publish the results to the enterprise once they are ready.
Before you begin:
- The vendor account must have the Security Lead role.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Select the name of the application whose results are to be published to the enterprise.
- Select Publish to Enterprise. The application status changes to Published to Enterprise.